The broad lesson from FireEye's recounting of the attack is startling and clear: Even one of the most prominent cybersecurity companies has trouble ensuring its employees follow the most pedestrian security advice for their personal online accounts.

The attackers - a group calling itself 31337 - did not breach the company's corporate network or the analyst's computers; instead, they compromised several of his personal online accounts, FireEye says. But 31337 did find and release three corporate documents from those accounts. FireEye has notified the two affected customers (see Hacker Group 31337 Dumps Data Stolen From Mandiant Analyst).

The breach illustrates a widely known risk: employees using personal accounts for work-related business. The security of those documents and information is then dependent on the security practices of the user, which may not meet the standards required on a corporate network.

But the inappropriate use of personal accounts is difficult to stop. Users often lean toward convenience over security when trying to get work done.

"We communicated to all FireEye employees, both verbally and in writing, a reminder to be vigilant and provided detailed steps to best secure their personal accounts," writes Steven Booth, FireEye's vice president and chief security officer, in a blog post.

The company says it is still investigating the breach, although it doesn't expect any "significant new discoveries."

Operation LeakTheAnalyst

The attack came to light around July 31, when the hacking group began posting data on Pastebin, the online bulletin board favored for anonymous dumps of information.

The group released a 32 MB file titled "Mandiant Leak: Op. #LeakTheAnalyst." It claimed the data came from Adi Peretz, a senior threat intelligence analyst at FireEye's Mandiant consulting services unit. FireEye's blog post did not name Peretz and instead refers to him as a victim.

The group also claimed to have network topology information for FireEye's malware analysis lab along with details on FireEye contracts and licenses. It also obtained some of Peretz's personal and business emails. Peretz's LinkedIn account was defaced, and the hackers claimed they had compromised his Outlook.com account.

Some of what the hackers claimed turned out to be true. The investigation found that several of Peretz's personal accounts were compromised, including LinkedIn, Hotmail and OneDrive accounts.

A deeper probe found out why: Peretz was one of tens of millions of victims of massive data breaches over the past few years. FireEye writes that his login credentials for his social media and email accounts were exposed in "eight publicly disclosed third-party breaches," including LinkedIn. The hacking group started accessing his accounts last September.

Last year, many prominent online companies, including Yahoo, LinkedIn, Dropbox and more, discovered their systems had been pilfered of login credentials from attacks that in some cases occurred years ago (see 'Historical Mega Breaches' Continue: Tumblr Hacked).

That data has been circulating in the cybercriminal underground and has fueled what are known as "credential stuffing" attacks, where the leaked credentials are recycled in an attempt to take over accounts (see Here Are 306 Million Passwords You Should Never Use).

Some of 31337's other claims and documents turned out to be bogus. Other documents and screen captures that were released consisted of either already-public information or images fabricated by the attackers, FireEye says.

Security Workover

Peretz's online security posture has since been given a thorough workover, something he might not have ever expected to happen from his own company.

Booth writes that FireEye disabled his corporate accounts and also helped him regain control of his compromised accounts. "We worked with the victim to secure his personal online accounts, including implementing multifactor authentication where possible," Booth writes.

Two-factor authentication can often prevent an attacker from accessing an account even with valid login credentials. It usually involves entering a time-sensitive passcode that is either generated by an authenticator application or sent over SMS, although the latter delivery method is falling out of favor due to security concerns.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
